Are You Prepared for California’s Data Privacy Laws to Take Effect?


Stronger privacy regulations have gained popularity as a way to ease the impact of data collection ushered in by technology titans Facebook, Google, Amazon and others. How to implement them is the next challengeOpens a new window for businesses.

California, long at the forefront of the technology revolution itself, has led the way with consumer protection laws designed to give citizens the opportunity to control how their personal data is used by companies.

It will be one of the first states to do so, with the California Consumer Privacy Law going into effect on New Year’s Day. This law puts limitations on companies being cleared to use the data without an individual’s knowledge.

Individuals now have the right to access their data, request it be deleted and to know whether it’s being sold and to whom. They can also refuse permission for it to be sold. Just how far does the law reach to companies outside the Golden State?

For starters: It’s targeted at the biggest players, applying to companies doing business in California with an annual gross revenue of $25 million or more; that buy, receive, sell, or share the personal information of 50,000 or more consumers who are California residents; or companies that have 50% or more annual revenues coming from the sale of personal information of California residents.

For companies impacted by the law, technology experts say it will bring a range of new requirements, including additional disclosures and discussions with third-parties handling personal data.

“Most (businesses) will need to update the disclosures in their privacy notices, establish processes for responding to consumer rights requests, observe restrictions on data monetization practices and revisit relationships with vendors that handle personal information on their behalf,” the California law firm Baker HostetlerOpens a new window advises in a blog post.

Tick Tock

While this law will go into effect on January 1, companies still have until July 1 to implement the regulations.

Lawyers for the state government issued guidelines for companiesOpens a new window about notifying consumers and about handling requests for personal data. They provided information on restrictions for data about children under 16 and guidelines for avoiding discrimination against those requesting their data be erased.

Becoming compliant with the new laws will not come cheap for California. Its attorney general’s office has estimated it will cost $55 billion for companies to achieve compliance, plus another $17 billion to implement the accompanying regulations.

The key, experts say, is to provide transparency over how data is collected and then used. Microsoft,Opens a new window which erased more than 10 million photos last year amid privacy concerns, is taking the lead on implementation. It announced in November that it will be compliant with the new laws by the beginning of the year.

In 2018, Microsoft voluntarily extended the core data privacy rights in the European Union’s new data protection laws to customers worldwide, creating a privacy dashboard that customers could use to review and control their personal data.

“Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under (the California  law) to all people in the U.S.,” Julie Brill, Microsoft’s chief privacy officer, wrote in a blog post.Opens a new window

More change may be on the way. While Nevada is the only other state to have implemented privacy regulations, 30 more are considering them.

Stricter initiative coming?

Even stronger protections are up for a vote in California next November. The initiative proposes tightening the law, including a requirement for a ¾-mile “privacy fence” around customers to reduce tracking their movements.

The initiative’s author, Alastair Mactaggart, chairman of the lobby group Californians for Consumer Privacy,  wrote about the need for such controls if companies cannot observe the law’s current requirements.

“This is about power,” said MactaggartOpens a new window . “The more a company knows about you, the more power it has to shape your daily life.”

“That power,”  Mactaggart said, “is exercised on the spectrum ranging from the benign, such as showing you a shoe ad, to the consequential, like selecting your job, your housing, or helping to shape what candidate you support in an election.”